Use SAML Just-in-Time User Provisioning in a SAML SSO Environment

If you are using an isolated domain (see Default and Custom Domains) and have Single Sign-On (SSO) based on SAML (Security Assertion Markup Language, see SAML SSO with GoodData), you can use SAML Just-in-Time (JIT) provisioning.

With JIT, you do not have to create and configure users in advance. JIT creates users when they log in for the first time. When a user tries to log in to the GoodData platform with SSO, a GoodData account is automatically created for them and the user is granted access to the specified GoodData workspace. The user’s details and the ID of the GoodData workspace to grant access to are provided as part of Identity Provider metadata.

Enable Just-in-Time User Provisioning

If you do not yet have SAML SSO implemented, do the following:

  1. Configure the SAML SSO service for your domain. If you have multiple SSO providers using the Identity Provider-initiated configuration, you can have JIT provisioning enabled for some or all of them.
  2. When configuring an SSO environment on your side, configure your Identity Provider to send SAML assertions with JIT attributes.

RelayState

The RelayState parameter specifies the URI in GoodData where the user is redirected after a successful login.

The RelayState parameter is case-sensitive and must be sent in the body of an HTTP POST request. The value of the RelayState parameter must be an absolute URL.

For information about constructing URLs pointing to specific embedded dashboards using the workspace ID or a combination of the client ID and data product ID, see Embedding Code Formats.

SAML Response Assertion

GoodData processes the first valid Assertion element in the SAML response. An Assertion element is valid when it is signed and has valid subject, conditions and issuer child elements.

The AttributeStatement element that contains provisioning attributes must be included in the same Assertion element where the subject element is included.

Because the first valid Assertion element is retrieved and used, multiple Assertion elements are not supported.

Example: SAML Message

The following is an example of a SAML message that provides the mandatory SAML attributes and uses project.id to identify the workspace where users are to be provisioned.

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" Destination="https://{your-subdomain-name}.on.gooddata.com/gdc/account/samllogin" ID="RESPONSE_ID" IssueInstant="2018-11-01T12:24:36.280Z" Version="2.0">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">ISSUER_ID</saml2:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
         <ds:Reference URI="#RESPONSE_ID">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" />
               </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>DIGEST_VALUE</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>SIGNATURE_VALUE</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate>CERT_VALUE</ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
   <saml2p:Status>
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </saml2p:Status>
   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="ASSERTION_ID" IssueInstant="2018-11-01T12:24:36.280Z" Version="2.0">
      <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">ISSUER_ID</saml2:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#ASSERTION_ID">
               <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                     <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" />
                  </ds:Transform>
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
               <ds:DigestValue>ASSERTION_DIGEST_VALUE</ds:DigestValue>
            </ds:Reference>
         </ds:SignedInfo>
         <ds:SignatureValue>SIGNATURE_VALUE</ds:SignatureValue>
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509Certificate>CERT_VALUE</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </ds:Signature>
      <saml2:Subject>
         <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">GOODDATA_USER_LOGIN</saml2:NameID>
         <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData NotOnOrAfter="2018-11-01T12:29:36.280Z" Recipient="https://{your-subdomain-name}.on.gooddata.com/gdc/account/samllogin" />
         </saml2:SubjectConfirmation>
      </saml2:Subject>
      <saml2:Conditions NotBefore="2018-11-01T12:19:36.280Z" NotOnOrAfter="2018-11-01T12:29:36.280Z">
         <saml2:AudienceRestriction>
            <saml2:Audience>GoodData</saml2:Audience>
         </saml2:AudienceRestriction>
      </saml2:Conditions>
      <saml2:AuthnStatement AuthnInstant="2018-11-01T12:24:36.280Z" SessionIndex="ASSERTION_ID">
         <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
         </saml2:AuthnContext>
      </saml2:AuthnStatement>
      <saml2:AttributeStatement>
         <saml2:Attribute Name="jit" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">true</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute Name="project.id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">PROJECT_ID</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute Name="user.firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">FIRST_NAME</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute Name="user.lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">LAST_NAME</saml2:AttributeValue>
         </saml2:Attribute>
      </saml2:AttributeStatement>
   </saml2:Assertion>
</saml2p:Response>


The following is an example of the AttributeStatement element that uses the dataproduct.id and client.id SAML attributes to identify the workspace:

<saml2:AttributeStatement>
   <saml2:Attribute Name="jit" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">true</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute Name="dataproduct.id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">DATA_PRODUCT_ID</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute Name="client.id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CLIENT_ID</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute Name="user.firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">FIRST_NAME</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute Name="user.lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">LAST_NAME</saml2:AttributeValue>
   </saml2:Attribute>
</saml2:AttributeStatement>
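As an added pre-flight check (not GoodData's own code), the following Python script applies the assertion rules from the SAML Response Assertion section to a Response before it is sent: one signed Assertion whose signature Reference points at its own ID, a valid Subject, Conditions and Issuer, and the JIT attributes inside that same Assertion, identified either by project.id or by dataproduct.id plus client.id as in the two examples above. The recipient URL, the fixed clock value and the sample_response builder are assumptions for the demonstration; the XML-DSig is not cryptographically verified, only checked structurally.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2p": SAMLP, "saml2": SAML, "ds": "http://www.w3.org/2000/09/xmldsig#"}
RECIPIENT = "https://YOUR-SUBDOMAIN.on.gooddata.com/gdc/account/samllogin"  # placeholder value
NOW = datetime(2018, 11, 1, 12, 24, 36, tzinfo=timezone.utc)  # inside the sample's validity window

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_jit_response(xml_text, recipient=RECIPIENT, now=NOW):
    """Return (jit_attrs, problems) for the first Assertion; structural checks only, no XML-DSig verification."""
    problems, root = [], ET.fromstring(xml_text)
    assertions = root.findall("saml2:Assertion", NS)
    if not assertions:
        return {}, ["no Assertion element in the Response"]
    if len(assertions) > 1:  # only the first Assertion is processed; several are not supported
        problems.append(f"{len(assertions)} Assertion elements found, only one is supported")
    a = assertions[0]
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (a.get("ID") or ""):
        problems.append("Assertion unsigned or signature Reference URI does not match its ID")
    if a.find("saml2:Issuer", NS) is None or a.find("saml2:Subject/saml2:NameID", NS) is None:
        problems.append("missing Issuer or Subject NameID")
    scd = a.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != recipient or now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData missing, wrong Recipient, or expired")
    cond = a.find("saml2:Conditions", NS)
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        problems.append("Conditions missing or outside the NotBefore/NotOnOrAfter window")
    attrs = {x.get("Name"): (x.findtext("saml2:AttributeValue", "", NS) or "").strip()
             for x in a.findall("saml2:AttributeStatement/saml2:Attribute", NS)}  # same Assertion
    if attrs.get("jit") != "true":
        problems.append("jit attribute missing or not 'true'")
    if "project.id" not in attrs and not {"dataproduct.id", "client.id"} <= set(attrs):
        problems.append("workspace not identified: need project.id, or dataproduct.id and client.id")
    return attrs, problems

def sample_response(attrs, copies=1):
    """Constructed minimal Response for testing; the Signature is a placeholder, not a real one."""
    avs = "".join(f'<saml2:Attribute Name="{k}"><saml2:AttributeValue>{v}</saml2:AttributeValue>'
                  '</saml2:Attribute>' for k, v in attrs.items())
    assertion = (f'<saml2:Assertion ID="ASSERTION_ID"><saml2:Issuer>ISSUER_ID</saml2:Issuer>'
                 f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo><ds:Reference URI="#ASSERTION_ID"/>'
                 '</ds:SignedInfo></ds:Signature><saml2:Subject><saml2:NameID>user@example.com</saml2:NameID>'
                 f'<saml2:SubjectConfirmation><saml2:SubjectConfirmationData Recipient="{RECIPIENT}"'
                 ' NotOnOrAfter="2018-11-01T12:29:36.280Z"/></saml2:SubjectConfirmation></saml2:Subject>'
                 '<saml2:Conditions NotBefore="2018-11-01T12:19:36.280Z" NotOnOrAfter="2018-11-01T12:29:36.280Z"/>'
                 f'<saml2:AttributeStatement>{avs}</saml2:AttributeStatement></saml2:Assertion>')
    return f'<saml2p:Response xmlns:saml2p="{SAMLP}" xmlns:saml2="{SAML}">{assertion * copies}</saml2p:Response>'
```

Run check_jit_response on the XML your Identity Provider emits (with the real recipient URL and the current time) and fix every reported problem before enabling JIT for that provider.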